Cyber-attacks targeting attorneys and law firms are increasing in frequency. In 2022, 27% of respondents to the American Bar Association’s Legal Technology Survey reported that their firm had experienced a cyber security breach.[1] While some cyber-attacks compromise sensitive information, others are utilized to carry out more sophisticated schemes. One such scheme targets attorneys who wire funds to or on behalf of their clients. It typically unfolds like this:
First, a hacker gains access to an attorney’s e-mail account and monitors the e-mail traffic until learning that the attorney will be initiating a wire transfer. The hacker then creates a sham e-mail address to impersonate the intended recipient of the funds. Usually, the sham e-mail address is almost identical to that of the intended recipient. The hacker uses the sham e-mail address to provide fraudulent wiring instructions to the attorney. The hacker may even attempt to rush the transaction by stating that time is of the essence or that the funds must be transferred that same day.
After the attorney wires the money, the hacker immediately transfers the funds to an overseas bank account. By the time the attorney realizes that the intended recipient didn’t receive the funds, the money is long gone.[2]
Attorneys have an ethical duty to safeguard client funds,[3] and “should hold property of others with the care required of a professional fiduciary.”[4] Attorneys should take reasonable steps to minimize the risk of wire-fraud schemes. North Carolina’s State Bar Ethics Committee recently outlined the reasonable measures attorneys may be able to implement to minimize the risks associated with wire transfers.[5] The measures include warning parties to a transaction about the risks associated with wire transfers and verifying wire instructions by phone before transferring any funds.[6]
These schemes also present liability risks for attorneys. Attorneys who wire funds to an unintended recipient could face a suit from actual interest-holders in the funds. The interest-holders may try to claim damages from the loss of intended use of the funds, as well as the direct loss of the funds. And, depending on the attorney’s coverage, such claims may not be covered under a cyber-risk or professional-liability policy.
How can you protect your clients, third parties interested in funds held in trust, and your firm? Start with these steps:
- Make sure your firm has wire transfer protocols in place and that these protocols are followed whenever funds are to be wired. Protocols should include verification of wiring instructions by means other than e-mail.
- Become familiar with common signs of a scam, such as receiving last-minute changes to wiring instructions or being asked to urgently complete the transaction.
- Be on the look-out for sham e-mail addresses that contain slight variations from those of the proper sender or recipient.
- Consider implementing more sophisticated security measures such as e-mail encryption.
- Keep up to date on current risks. The State Bar of Michigan publishes the details of common scams targeting attorneys.[7]
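The look-out for near-match addresses described in the steps above can be partly automated. The following is an added example, not part of the original post; the sample addresses, the substitution list and the distance threshold of 2 are assumptions chosen for illustration.

```python
# Added example: flag sender addresses that nearly match a known counterparty.
# All addresses are constructed samples on the reserved ".example" domain.
KNOWN = ["jsmith@titleco.example", "closings@firstbank.example"]

# Assumed list of common visual substitutions, folded to one canonical form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]

def fold(s):
    """Lower-case and collapse look-alike character sequences."""
    s = s.strip().lower()
    for seen, canonical in CONFUSABLES:
        s = s.replace(seen, canonical)
    return s

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near(a, b, max_distance):
    return fold(a) == fold(b) or edit_distance(a, b) <= max_distance

def classify(sender, known=KNOWN, max_distance=2):
    """Return ("known", addr), ("lookalike", addr) or ("unknown", None)."""
    s = sender.strip().lower()
    if s in known:
        return ("known", s)
    s_dom = s.rpartition("@")[2]
    for k in known:
        k_dom = k.rpartition("@")[2]
        # Near-match on the whole address, or a different domain that
        # nearly matches a known domain (whatever the local part is).
        if near(s, k, max_distance) or (s_dom != k_dom and near(s_dom, k_dom, max_distance)):
            return ("lookalike", k)
    return ("unknown", None)

if __name__ == "__main__":
    for addr in ["jsmith@titleco.example", "jsmith@titlec0.example",
                 "jsrnith@titleco.example", "wires@first-bank.example",
                 "newclient@unrelated.example"]:
        print(addr, classify(addr))
```

A "lookalike" result is a prompt to verify the wiring instructions by telephone, not a substitute for that verification.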
Wire fraud scams present real risks for attorneys. These risks may be mitigated by staying up to date on common scams targeting attorneys, implementing cyber security measures, and instituting wire transfer protocols that include verifying wiring instructions by telephone before wiring any funds.
[1] American Bar Association, 2022 Legal Technology Survey Report <https://www.americanbar.org/groups/law_practice/publications/techreport/2022/cybersecurity/> (accessed February 27, 2023).
[2] A hacker may gain access to the e-mail account of any party involved in the transaction, including the intended recipient of the funds. The scheme typically unfolds the same way regardless of which e-mail account has been compromised.
[3] MRPC 1.15(d).
[4] MRPC 1.15 Official Comment.
[5] North Carolina State Bar, 2020 Formal Ethics Opinion 5.
[6] Id.
[7] State Bar of Michigan, Scams Targeting Attorneys Reported in Michigan <https://www.michbar.org/generalinfo/scamalerts> (accessed February 27, 2023).